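/*
    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
 */
package org.apache.wiki.ui;

import org.apache.wiki.api.core.Engine;
import org.apache.wiki.api.core.Session;
import org.apache.wiki.auth.SessionMonitor;
import org.apache.wiki.auth.authorize.Role;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.security.Principal;

/**
 * Servlet request wrapper that encapsulates an incoming HTTP request and overrides its security methods so that the request returns
 * JSPWiki-specific values.
 * <p>
 * Each overridden method consults the container-supplied value first and only falls back to the wiki {@link Session} when the
 * container reports nothing. Consumers of {@link #getRemoteUser()}, {@link #getUserPrincipal()} and {@link #isUserInRole(String)}
 * therefore observe the union of container authentication and JSPWiki's own login state.
 *
 * @since 2.8
 */
public class WikiRequestWrapper extends HttpServletRequestWrapper {

    /** The wiki Session bound to the wrapped request, resolved once at construction time. */
    private final Session m_session;

    /**
     * Constructs a new wrapped request.
     *
     * @param engine the wiki engine
     * @param request the request to wrap
     */
    public WikiRequestWrapper( final Engine engine, final HttpServletRequest request ) {
        super( request );

        // Get and stash a reference to the current Session. The no-arg getSession() creates an HTTP session
        // when the request does not already carry one.
        // NOTE(review): assumes SessionMonitor.find() never returns null — the overrides below dereference
        // m_session unconditionally; confirm against SessionMonitor before relying on that.
        m_session = SessionMonitor.getInstance( engine ).find( request.getSession() );
    }

    /**
     * Returns the remote user for the HTTP request, taking into account both container and JSPWiki custom authentication status.
     * Specifically, if the wrapped request contains a remote user, this method returns that remote user. Otherwise, if the user's
     * Session is an authenticated session (that is, {@link Session#isAuthenticated()} returns <code>true</code>),
     * this method returns the name of the principal returned by {@link Session#getLoginPrincipal()}.
     *
     * @return the container remote user, else the wiki login principal's name, else <code>null</code>
     */
    @Override
    public String getRemoteUser() {
        // Container authentication takes precedence; evaluate it once instead of twice.
        final String containerUser = super.getRemoteUser();
        if( containerUser != null ) {
            return containerUser;
        }

        // Fall back to JSPWiki's own login state, so a wiki-authenticated user is reported
        // even when the servlet container performed no authentication of its own.
        if( m_session.isAuthenticated() ) {
            return m_session.getLoginPrincipal().getName();
        }
        return null;
    }

    /**
     * Returns the user principal for the HTTP request, taking into account both container and JSPWiki custom authentication status.
     * Specifically, if the wrapped request contains a user principal, this method returns that principal. Otherwise, if the user's
     * Session is an authenticated session (that is, {@link Session#isAuthenticated()} returns
     * <code>true</code>), this method returns the value of {@link Session#getLoginPrincipal()}.
     *
     * @return the container user principal, else the wiki login principal, else <code>null</code>
     */
    @Override
    public Principal getUserPrincipal() {
        // Container authentication takes precedence; evaluate it once instead of twice.
        final Principal containerPrincipal = super.getUserPrincipal();
        if( containerPrincipal != null ) {
            return containerPrincipal;
        }

        // Fall back to JSPWiki's own login state.
        if( m_session.isAuthenticated() ) {
            return m_session.getLoginPrincipal();
        }
        return null;
    }

    /**
     * Determines whether the current user possesses a supplied role, taking into account both container and JSPWiki custom authentication
     * status. Specifically, if the wrapped request shows that the user possesses the role, this method returns <code>true</code>. If not,
     * this method iterates through the built-in Role objects (<em>e.g.</em>, ANONYMOUS, ASSERTED, AUTHENTICATED) returned by
     * {@link Session#getRoles()} and checks to see if any of these principals' names match the supplied role.
     * <p>
     * Only principals that are {@link Role} instances <em>and</em> built-in roles are considered in the fallback; the comparison
     * against <code>role</code> is an exact, case-sensitive {@link String#equals(Object)} match.
     *
     * @param role the role name to test
     * @return <code>true</code> if the container grants the role or a built-in wiki role of that exact name is held, <code>false</code> otherwise
     */
    @Override
    public boolean isUserInRole( final String role ) {
        // Container-granted roles are honoured unconditionally.
        final boolean hasContainerRole = super.isUserInRole( role );
        if( hasContainerRole ) {
            return true;
        }

        // Iterate through all of the built-in roles and look for a match. Non-Role principals and
        // Roles that are not built in (e.g. arbitrary group roles) are deliberately skipped here.
        final Principal[] principals = m_session.getRoles();
        for( final Principal value : principals ) {
            if( value instanceof Role ) {
                final Role principal = ( Role )value;
                if( Role.isBuiltInRole( principal ) && principal.getName().equals( role ) ) {
                    return true;
                }
            }
        }

        // None of the built-in roles match, so no luck
        return false;
    }

}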